[Bug 1827442] Re: [MIR] libheif
Vladimir Petko
1827442 at bugs.launchpad.net
Wed Feb 1 06:11:34 UTC 2023
** Description changed:
[Availablity]
The package libheif is already in ubuntu/universe.
- The package libheif build for the architectures it is designed to work on: https://launchpad.net/ubuntu/+source/libheif/1.14.2-1 .
- It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
+ The package libheif build for the architectures it is designed to work on.
+ It currently builds and works for architectures:
+ amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- - The package libheif is required in Ubuntu main for decoding ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- - The package libheif will not generally be useful for a large part of our user base, but is important/helpful still because no other package in main supports decoding of ISO/IEC 23008-12:2017 HEIF files.
- -The package libheif is a runtime dependency of package libgd2 that we already support.
- - It would be great and useful to community/processes to have the package libheif in Ubuntu main, but there is no definitive deadline.
+ - The package libheif is required in Ubuntu main for decoding
+ ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
+ - The package libheif will not generally be useful for a large part of our user
+ base, but is important/helpful still because no other package in main supports
+ decoding of ISO/IEC 23008-12:2017 HEIF files.
+ - The package libheif is a runtime dependency of package libgd2 that we already
+ support.
+ - It would be great and useful to community/processes to have the package
+ libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had security issues in the past:
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109: Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file. The github issue: https://github.com/strukturag/libheif/issues/207 is open, though developer comments that it was fixed in 1.7.0
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499: An issue was discovered in heif::Box_iref::get_references in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impact due to an invalid memory read. The github issue: https://github.com/strukturag/libheif/issues/138 is closed, fixed in 1.5.0
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498: Floating point exception in function Fraction in libheif 1.4.0, allows attackers to cause a Denial of Service or possibly other unspecified impacts. The github issue: https://github.com/strukturag/libheif/issues/139 is closed, fixed in 1.5.0.
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471: libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images. The github issue: https://github.com/strukturag/libheif/issues/123 is closed, fixed in 1.5.0.
- The vulnerable versions are libheif < 1.7.0, current version 1.14.2
- Currently vulnerable packages (CVE-2020-23109) are deployed in focal and bionic. Jammy and up has no known vulnerabilitites.
-
+ - libheif had 4 security issues in the past:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
+ The github issue: https://github.com/strukturag/libheif/issues/207 is open,
+ though developer comments that it was fixed in 1.7.0
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
+ Fixed in 1.5.0
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
+ Fixed in 1.5.0.
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
+ Fixed in 1.5.0.
+ The vulnerable versions are libheif < 1.7.0, current version 1.14.2
+ Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
+ bionic. Jammy and up has no known vulnerabilitites.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- - Packages does contain extensions to security-sensitive software: the package provides HEIF image plugin used by other software, e.g. imagemagick
+ - Packages does contain extensions to security-sensitive software:
+ the package provides HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- - The package does not work well right after install
+ - The package does not work well right after install. There is a bug filed in
+ debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
+ 1.14.2 contains significant regression, HEIC can not be read using viewnoir.
- Basic test cases pass:
- ```
- apt install imagemagick
- wget https://filesamples.com/samples/image/heif/sample1.heif
- convert -verbose sample1.heif test.gif
- wget https://filesamples.com/samples/image/heic/sample1.heic
- convert -verbose sample1.heic test1.gif
- ```
+ apt install imagemagick
+ wget https://filesamples.com/samples/image/heif/sample1.heif
+ convert -verbose sample1.heif test.gif
+ wget https://filesamples.com/samples/image/heic/sample1.heic
+ convert -verbose sample1.heic test1.gif
+ Notice, that libgd2 HEIF support is disabled.
+ - Compiling a sample that tries to save HEIF file produces following output
+ "GD Warning: HEIF image support has been disabled"
- Notice, that libgd2 HEIF support is disabled. Compiling a sample that tries to save HEIF file produces following output
- ```
- GD Warning: HEIF image support has been disabled
- ```
-
- There is a bug filed in debian: https://bugs.debian.org/cgi-
- bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression,
- HEIC can not be read using viewnoir.
[Quality assurance - maintenance]
+ - The package is maintained well in Debian/Ubuntu and has no bugs open
+ - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
+ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125 Confirm CVE-2020-23109 fix
- - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668 1.14.2 contains significant regression, HEIC can not be read using viewnoir package [confirmed in lunar]. Downgrading to 1.13.0-1 solves the issue.
+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
+ Confirm CVE-2020-23109 fix
+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
+ 1.14.2 contains significant regression, HEIC can not be read using
+ viewnoir package [confirmed in lunar].
+ Downgrading to 1.13.0-1 solves the issue.
+ - The package does not deal with exotic hardware we cannot support
+
[Quality assurance – testing]
- - The package does not run a test at build time because no unit tests are present in the repository upstream:
- https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- https://github.com/strukturag/libheif
- - The package does not run an autopkgtest because no autopackage tests are present. Note: upstream contains a CI script that can be adapted for autopkgtests: https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
- - The package does have not failing autopkgtests right now
- - [NOT COMPLETE]: The package can not be tested at build or autopktest time because no tests are presentto make up for that here [LINK] is a test plan/automation and example test runlogs/scripts)
+ - The package does not run a test at build time because no unit tests are
+ present in the repository upstream:
+ https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+ https://github.com/strukturag/libheif
+ - The package does not run an autopkgtest because no autopackage tests are
+ present.
+ Note: upstream contains a CI script that can be adapted for autopkgtests:
+ https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
+
+ This section is not complete, as the test plan/approach for developing
+ autopkgtests needs to be discussed.
+ TODO: - The package can not be tested at build or autopktest time because TBD
+ TODO: to make up for that here TBD is a test plan/automation and example
+ TODO: test TBD (logs/scripts)
+
[Quality assurance - packaging]
- - debian/watch is present and works BUT also get-orig-head target is present in debian/rules that produces a different result. There is no specific documentation on which method to use.
+ - debian/watch is present and works BUT also get-orig-head target is present
+ in debian/rules that produces a different result.
+ There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- - Please link to a recent build log of the package https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- https://udd.debian.org/lintian/?packages=libheif
+ https://udd.debian.org/lintian/?packages=libheif
+ - Please link to a recent build log of the package
+ https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
+ - Please attach the full output you have got from `lintian --pedantic` as an
+ extra post to this bug.
- Lintian overrides are not present
- - This package relies on obsolete or about to be demoted packages (see https://udd.debian.org/lintian/?packages=libheif), consider using libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
+ - This package relies on obsolete or about to be demoted packages
+ see https://udd.debian.org/lintian/?packages=libheif, consider using
+ libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- - Packaging and build is easy, link to d/rules : https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
+ - Packaging and build is easy, link to d/rules:
+ https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- - End-user applications without desktop file, not needed because application does not provide GUI
+ - End-user applications without desktop file, not needed because application
+ does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
- is at:
- - aom: LP: #2004442
-
- - There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here:
- - dav1d
- - libde265
- - x265
+ is at:
+ - aom: LP: #2004442
+ - dav1d: LP #2004446
+ - libde265: LP #2004449
+ - x265: LP #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- - Team is already subscribed to the package
+ - Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgd2 in Ubuntu.
https://bugs.launchpad.net/bugs/1827442
Title:
[MIR] libheif
Status in aom package in Ubuntu:
Incomplete
Status in dav1d package in Ubuntu:
Incomplete
Status in libde265 package in Ubuntu:
Incomplete
Status in libgd2 package in Ubuntu:
New
Status in libheif package in Ubuntu:
In Progress
Status in x265 package in Ubuntu:
Incomplete
Bug description:
[Availablity]
The package libheif is already in ubuntu/universe.
The package libheif build for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding
ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user
base, but is important/helpful still because no other package in main supports
decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already
support.
- It would be great and useful to community/processes to have the package
libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
The github issue: https://github.com/strukturag/libheif/issues/207 is open,
though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
Fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
Fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
Fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0, current version 1.14.2
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
bionic. Jammy and up has no known vulnerabilitites.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024)
- Packages does contain extensions to security-sensitive software:
the package provides HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in
debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using viewnoir.
- Basic test cases pass:
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
Notice, that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save HEIF file produces following output
"GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains significant regression, HEIC can not be read using
viewnoir package [confirmed in lunar].
Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are
present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are
present.
Note: upstream contains a CI script that can be adapted for autopkgtests:
https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing
autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopktest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works BUT also get-orig-head target is present
in debian/rules that produces a different result.
There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages
see https://udd.debian.org/lintian/?packages=libheif, consider using
libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application
does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- dav1d: LP #2004446
- libde265: LP #2004449
- x265: LP #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aom/+bug/1827442/+subscriptions
More information about the foundations-bugs
mailing list